Although the GDPR is explicit about the DPO's roles and responsibilities, the role is complex and detailed in practice, and many further tasks are implied by its overall goal of ensuring organisational compliance.
Once we have established a baseline of compliance, we shall provide outsourced professional services to ensure that the organisation continues to be compliant. Activities will include, but not be limited to, the following:
- Ensuring lawful processing at all times; protecting the rights of the Data Subjects.
- Ensuring that proof of consent is recorded.
- Advising on Data Protection by Design and Default.
- Advising on data retention / deletion policies and processes.
- Annual refresher training on the GDPR.
- Providing Data Protection Impact Assessments (DPIAs) and advising on risk mitigation. Any new data processing activity must be screened for this risk assessment, and a full DPIA carried out where the processing is likely to result in a high risk to Data Subjects.
- Maintaining the Data Processing Activity Log.
- Maintaining the Data Asset Risk Register.
- Maintaining the Data Asset Register (this includes paper copies of files, microfiches as well as electronic storage media).
- Communicating with Data Subjects when they send requests regarding their data.
- Advising on the GDPR implications, thereby ensuring compliance, for any new data processing activities.
- Advising on contractual obligations between the Data Controller and Data Processor as well as other supplier contracts.
- Planning for a Personal Data Breach, including training all senior managers and running practice exercises.
- Liaison with the Supervisory Authority (currently the Information Commissioner's Office (ICO)) and other regulatory bodies. If there is a personal data breach that is likely to result in a risk to the rights and freedoms of Data Subjects, the ICO must be informed without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it.
- Managing the legal, reputational and procedural requirements following a personal data breach.